OSX.Pirrit adware: gains full control of the infected Mac computer

Some time ago, OSX.Pirrit virus was bothering Mac users with annoying and intrusive ads. However, now it seems to be capable of using even more malicious features. According to the malware researchers, currently, it can gain root access and spy on people's browsing routine or steal valuable information, such as bank log-in names, passwords, etc[1].

Amit Serper, the principal security researcher at Cybereason, is highly surprised that the new MacOS malware is spreading so rapidly[2]:

And, to my surprise, it’s very active. Not only is it still infecting people’s Macs, OSX.Pirrit’s authors learned from one of their mistakes (They obviously read at least one of our earlier reports).

The previous versions of Pirrit adware used browser plug-ins or downloaded Proxy server to hijack the regular browsers. Now, the malware abuses AppleScript which is a built-in scripting language on all Mac computers[3].

TargetingEdge claims that their software is legitimate

TargetingEdge was aware of the malware analysis report by Amit and tried their best to stop him from publishing it[4]. Even though it is evident that OSX.Pirrit code is able to perform the malicious activity, its developers try to prove its legitimacy:

We develop and operate a legitimate and legal installer product for MAC users. As well known to Cybereason, our product is not Malware, it does not include any features of Malware and it does not harm or damage or intended to cause any damages to the product user’s device, nor ”hacks” “spy” or ”takes over” the browser or uses any other malicious” or ”non-transparent” means.

It is essential to mention that Cybereason is one of the other 27 security programs which detect OSX.Pirrit as malware as well[5]. Despite the attempts of the contrivers to distance themselves from their product, Amit has clear evidence which shows the linkage of the former TargetingEdge employee to the adware:

January 2017, a former TargetingEdge employee, whose name was one of the two found in the dropped files that led us to the company, sent Cybereason his resumé, which clearly establishes a connection between TargetingEdge and OSX.Pirrit.

Tips to protect Mac computers from adware

Malware analyst from Webroot, Kelvin Murray, says that any noticeable changes on the device should be immediately reported to the Admin. Additionally, he warns about the following:

In addition, admins need to take the usual security measures including software updates, AV, and user education. Both the admin and users need to see this as yet another sign that Macs are not “virus proof” as is so commonly assumed and often ignored.

Our IT professions would also like to encourage you to take precautionary measures and carefully monitor the process of freeware installation. Typically, adware programs are bundled together with free applications and offered as one. This way people unconsciously infiltrate the ad-supported program.

Likewise, use a powerful security software to perform OSX Pirrit removal and protect you credentials from this less than reliable application.

About the author

Lucia Danes
- Virus researcher

Lucia is a News Editor for 2spyware. She has a long experience working in malware and technology fields.